Configuring Authentication Servers
This section describes the following procedures:
l Configuring an External Server for Authentication on page 156
l Enabling RADIUS Communication over TLS on page 161
l Configuring Dynamic RADIUSProxy Parameters on page 162
Supported Authentication Servers
Based on the security requirements, you can configure internal or external authenticationservers. This section
describes the types of servers that can be configured for client authentication:
l Internal RADIUS Server on page 151
l External RADIUS Server on page 151
l Dynamic Load Balancing between Two Authentication Servers on page 156
Starting from Instant 6.4.0.2-4.1 release, you can configure TACACS+ server for authenticating management
users. For more information on management users and TACACS+ server-based authentication, see Configuring
Authentication Parameters for Management Users .
Internal RADIUS Server
Each IAP has an instance of free RADIUS server operating locally. When you enable the internal RADIUS server
option for the network, the client on the IAP sends a RADIUS packet to the local IP address. The internal
RADIUS server listens and replies to the RADIUS packet. Instant serves as a RADIUS server for 802.1X
authentication. However, the internal RADIUS server can also be configured as a backup RADIUS server for an
external RADIUS server.
External RADIUS Server
In the external RADIUS server, the IP address of the VC is configured as the NAS IP address. Instant RADIUS is
implemented on the VC and this eliminates the need to configure multiple NAS clients for every IAP on the
RADIUS server for client authentication. Instant RADIUS dynamically forwards all the authentication requests
from a NAS to a remote RADIUS server. The RADIUS server responds to the authentication request with an
Access-Accept or Access-Reject message, and the clients are allowed or denied access to the network
depending on the response from the RADIUS server. When you enable an external RADIUS server for the
network, the client on the IAP sends a RADIUS packet to the local IP address. The external RADIUS server then
responds to the RADIUS packet.
Instant supports the following external authentication servers:
l RADIUS
l LDAP
l ClearPass Policy Manager Server for AirGroup CoA
To use an LDAP server for user authentication, configure the LDAP server on the VC, and configure user IDs
and passwords. To use a RADIUS server for user authentication, configure the RADIUS server on the VC.
RADIUS Server Authentication with VSA
An external RADIUS server authenticates network users and returns to the IAP the vendor-specific attribute
(VSA) that contains the name of the network role for the user. The authenticated user is placed into the
management role specified by the VSA.
Instant supports the following VSAs for user role and VLANderivation rules:
l AP-Group
l AP-Name
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide Authentication and User Management | 151
To Next Page
Loading...
Need help?
General
